from the internet-of-very-broken-things dept

By now it has been pretty well established that the security and privacy of most "internet of things" devices is decidedly half-assed. Companies are so eager to cash in on the IoT craze that nobody wants to take responsibility for ignoring basic security and privacy standards. As a result, we've now got millions of new attack vectors being introduced daily, including easily hacked "smart" kettles, door locks, refrigerators, power outlets, Barbie dolls, and more. Security experts have warned that the bill for this dysfunction is coming due, and it could be disastrous.

Smart televisions have long been part of this conversation, where security standards and privacy have also taken a back seat to blind gee-whizzery. Numerous set vendors have already been caught hoovering up private conversations or transmitting private user data to the cloud unencrypted. One study last year estimated that around 90% of smart televisions can be hacked remotely, something intelligence agencies, private contractors and other hackers are clearly eager to take full advantage of.

Consumer Reports this week released a study suggesting that things aren't really improving. The outfit, which is working to make privacy and security a standard part of its product reviews, studied streaming devices and smart TVs from several vendors. What it found is more of the same: companies that don't clearly disclose what consumer data is being collected and sold, that don't adequately encrypt the data they do collect, and that still don't seem to care that their devices ship with security holes leaving customers open to attack.

The report singled out Roku's many smart TVs and streaming devices, and the company's failure to address an unauthenticated API that lets anyone on the same home network (including a malicious web page loaded by a browser on that network) send commands to the television. This is one of several problems that have been bouncing around since at least 2015, notes the report:

"The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. “Roku devices have a totally unsecured remote control API enabled by default,” says Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.”

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded."

Roku was quick to issue a blog post stating that Consumer Reports had engaged in the "mischaracterization of a feature," and told its customers not to worry about it:

"Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.

Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled."

Roku fails to mention that doing so also disables the ability to control the device with Roku's own app, taking away valuable functionality from the end user (something Consumer Reports mentions in its write-up). And Roku doesn't even address the other complaints in the report, including concerns that streaming hardware and TV companies aren't making data collection and third-party sales clear, aren't clearly showcasing their privacy policies, and often don't let users opt out of such collection without losing functionality (much like the broadband ISPs and numerous services and apps these devices are connected to).
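The quickest way to see what Consumer Reports and Roku are each describing is to query the interface from your own network. The script below is an added example written for this page; it is not Consumer Reports', Disconnect's or Roku's code. It assumes only what Roku's published External Control Protocol (ECP) documentation states: the API is plain HTTP on TCP port 8060, devices advertise it over SSDP with the search target `roku:ecp`, and `GET /query/device-info` returns an XML inventory. The script discovers Rokus on the local subnet and reports whether each one answers without any credentials. A device switched to External Control > Disabled stops answering on that port, so the same script doubles as a check that the mitigation in Roku's blog post is actually in effect. The SSDP reply and device-info XML embedded in it are constructed samples, not captures from a real device. Since nothing about the API requires authentication, a web page running in any browser on the same Wi-Fi can fire the same requests at it, which is the attack path the Consumer Reports excerpt describes.

```python
"""LAN audit for Roku External Control Protocol (ECP) exposure.

ECP is Roku's published, unauthenticated HTTP API on TCP port 8060; devices
advertise it over SSDP with the search target "roku:ecp".  Run with no
arguments to discover devices, or pass IP addresses to check them directly.
The SAMPLE_* payloads are constructed for illustration, not captured."""

import socket
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SSDP_GROUP = ("239.255.255.250", 1900)
ECP_PORT = 8060
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "ST: roku:ecp\r\n"
    "MX: 2\r\n\r\n"
)

# Constructed sample of what a Roku answers to the M-SEARCH above.
SAMPLE_SSDP = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: max-age=3600\r\n"
    "ST: roku:ecp\r\n"
    "USN: uuid:roku:ecp:YH00AA000000\r\n"
    "Ext: \r\n"
    "Server: Roku/9.0.0 UPnP/1.0 Roku/9.0.0\r\n"
    "LOCATION: http://192.168.1.20:8060/\r\n\r\n"
)

# Constructed sample of GET /query/device-info (tag names follow the ECP docs).
SAMPLE_DEVICE_INFO = b"""<device-info>
  <serial-number>YH00AA000000</serial-number>
  <vendor-name>Roku</vendor-name>
  <model-name>Roku Streaming Stick</model-name>
  <software-version>8.1.0</software-version>
  <friendly-device-name>Living room</friendly-device-name>
</device-info>"""


def parse_ssdp_response(raw: str) -> dict:
    """Headers of an SSDP '200 OK' reply, lower-cased; {} for anything else."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def host_from_location(location: str) -> str:
    """'http://192.168.1.20:8060/' -> '192.168.1.20'."""
    return urlparse(location).hostname or ""


def discover(timeout: float = 2.0) -> list:
    """Multicast an M-SEARCH for roku:ecp and collect the hosts that answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hosts = []
    try:
        sock.sendto(M_SEARCH.encode(), SSDP_GROUP)
        while True:
            data, _ = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data.decode(errors="replace"))
            if hdrs.get("st") == "roku:ecp" and "location" in hdrs:
                hosts.append(host_from_location(hdrs["location"]))
    except socket.timeout:
        pass  # no more replies within the MX window
    finally:
        sock.close()
    return sorted(set(hosts))


def parse_device_info(xml_bytes) -> dict:
    """Inventory fields from /query/device-info; missing tags become ''."""
    root = ET.fromstring(xml_bytes)
    fields = ("vendor-name", "model-name", "serial-number",
              "software-version", "friendly-device-name")
    return {tag: (root.findtext(tag) or "") for tag in fields}


def check_ecp(ip: str, timeout: float = 3.0) -> dict:
    """Query the device with no credentials, exactly as a LAN attacker would.
    Success means ECP is reachable.  A refused or timed-out connection is
    what you get after Settings > System > Advanced System Settings >
    External Control > Disabled, since the device then stops answering on 8060."""
    url = f"http://{ip}:{ECP_PORT}/query/device-info"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return {"ip": ip, "ecp_reachable": True,
                    "info": parse_device_info(resp.read())}
    except (OSError, ET.ParseError) as exc:  # URLError and socket errors are OSError
        return {"ip": ip, "ecp_reachable": False, "info": {}, "error": str(exc)}


if __name__ == "__main__":
    targets = sys.argv[1:] or discover()
    for ip in targets:
        r = check_ecp(ip)
        if r["ecp_reachable"]:
            print(f"{ip}: ECP reachable without authentication: "
                  f"{r['info']['model-name']} ({r['info']['software-version']})")
        else:
            print(f"{ip}: ECP not reachable ({r['error']})")
```

Save the script and run it with no arguments on the Wi-Fi the TV sits on; any device it reports as reachable will also accept the documented `POST /keypress/<key>` and `POST /launch/<appID>` commands from any process, or any web page, on that network. Flip the External Control setting off, run it again, and the same device should come back as not reachable, which is the state Roku's blog post is telling customers to choose and losing the Roku app is the price of it.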

Roku's response highlights the SOP (somebody else's problem) approach inherent in the IoT. As experts like Bruce Schneier have repeatedly noted, the tech industry is caught in a cycle of security dysfunction where nobody in the chain has any real motivation to actually fix the problem:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Schneier has repeatedly warned that we need cooperative engagement between governments, companies, experts and the public to craft overarching standards and policies. The alternative isn't just a few hacks and embarrassing PR gaffes now and again. The influx of millions of poorly secured internet-connected devices (many of which are being automatically conscripted into historically nasty botnets) is a massive dumpster fire with the potential for genuine human casualties. It's easy to downplay these kinds of reports as just "a few minor problems with a television set," but that ignores the massive scope of the problem and the chain of security and privacy apathy that has created it.

Reader Comments

I've got an old, pre-"smart" Samsung plasma. So far it's served me well, but of course eventually a day will come when I have to get another TV. It's a pity they all come with security vulnerabilities baked in now.

Re: Re:

Vulnerabilities might be in my old dumb TV. How are you going to hack it though? It has no internet connectivity, so you would have to hack a device then use that to hack the TV.

Then what? You have control of a TV that has no microphone, and no account data. Only thing TV could maybe do is tell you what I watch on other devices than the original one you hacked. There isn't really much data to steal from a dumb TV.

Re:

Re:

The seller of a dumb TV only makes money on the sale of what is now pretty much a low margin commodity item.

If they sell you a 'smart' TV with spy features, not only do they get the small profit from the sale of the TV, they get a continuing income stream from selling all of that data they collect on what you watch, when, with whom, etc. Plus they can get yet more money feeding you targeted ads based on that data.

Re: Re:

That is true. Of course then I am in effect encouraging their bad behavior. Also, it still doesn't help the fact that TV makers are far too stingy with their HDMI ports. I have a lot more than 3 devices and those external HDMI switches are just an added annoying complexity.

Re: Re:

That is not the case when you slow down and think about it some. TVs are very poorly supported. Updates are slow and often the TV "smart" features are laggy as %$@#%.

On the other hand I am hooking up a PlayStation 3, PlayStation 4, Xbox 360, Wii, Wii U, Ouya, and so on. Almost every single one of those does a better job providing the "smart features" than even the best "smart TV".

Re: Re: Re:

How are you going to hack it though?

Send an ATSC signal. Maybe by buying an ad?

Then what?

Dunno. Brick it? Maybe stick a logo on the screen? Depends how much like a computer it is. If it's software running on a CPU, maybe there's a way to turn it into a useful transmitter (transmit a virus over ATSC?).

You have control of a TV that has no microphone

Any speaker is a microphone. Not necessarily a useful one if there's no way to get the data out or the amplifier interferes.

Re: Re:

The good news for Samsung owners is Consumer Reports found the TVs by themselves to be secure.

Not sure how much I'd trust it. They worked with Disconnect, who seem more focused on privacy than reverse-engineering/security. (“We were just looking for good security practices,” Rerecich says. “Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.”)

That's good but who knows about uncommon vulnerabilities? Contests like Pwn2Own (that involve good money) find some esoteric shit.

Re: Re: Re: Re:

If you're using an external box - like an XBox360 or Roku device - for your smart features, then you have to contend with THEIR security issues and leaking of your personal data and watching habits.

Maybe so, but there's a much higher probability that the external devices will receive security updates at all, let alone well after the purchase of the TV. It's also more cost-effective to replace a plugged-in device if it's found to be insecure than to replace the whole damned TV when the manufacturer can't be bothered to patch known vulnerabilities.

It's not every day that I read a post on the internet and the first two sentences are exactly what I think. And in this specific case, exactly what I repeat ad nauseam when this subject comes up in a discussion.

IoT -- we're not there yet. No smart TV, bulb or whatever for me. I'd love that, but once the security concern is tackled. We're soooo not there yet, thanks to greed.

Vendors don't care because customers don't care

I agree with Bruce Schneier that this is a problem that won't have a solution any time soon.

For the most part, vendors don't care about privacy because customers don't care about privacy or security. And many customers don't care about privacy because they don't know any better.

How many people realize that the "Which Harry Potter character are you" quizzes at Facebook allow the quiz company full access to their public profile, including posts and photos? And how many people realize a "bad guy" can easily create one of these quizzes and then data-mine everyone who answers... right down to the person's street address, elementary school, and the name of their dog. In other words, the answers to many sites' "recover your password" security questions.

If people don't care about privacy and security on Facebook, then convincing them to care about their TVs is a much harder process.

Re: Vendors don't care because customers don't care

They don't understand or know what it is, what it does, or how to stop it. Part of this goes back to snail mail and the change to computers. How much spam have you ever gotten in snail mail? How much spam do you get in email? There is no difference.

I've seen email accounts getting over 100 emails per day, and they get overwhelmed. I've seen a smart person divide email into sections, which works pretty well. Only email they want goes to the sections they want; dump it before you even see it.

Re:

I don't have a TV, but I use a dumb, ceiling-mounted projector for all my TV/movie viewing. It connects to an HTPC via in-wall HDMI that took me about 20 minutes to wire. 4K screen and 100". What more could you want?